Vulnerability Database / CVE-2026-26079 CVE-2026-26079: Roundcube Webmail CSS Injection Vulnerability CVE-2026-26079 is a CSS injection flaw in Roundcube Webmail that enables XSS attacks through mishandled comments. This article covers the technical details, affected versions before 1.5.13 and 1.6.13, and mitigation steps. Published : February 13, 2026 CVE-2026-26079 Overview CVE-2026-26079 is a Cascading Style Sheets (CSS) injection vulnerability affecting Roundcube Webmail versions before 1.5.13 and 1.6.x before 1.6.13 . The vulnerability exists due to improper handling of CSS comments, which allows attackers to inject malicious CSS code into webmail content. This type of vulnerability can be exploited to exfiltrate sensitive information, manipulate the visual appearance of emails, or conduct phishing attacks by modifying the user interface. Critical Impact Attackers can inject arbitrary CSS through crafted email content, potentially enabling data exfiltration via CSS selectors, UI manipulation for phishing, or tracking user activity without JavaScript execution. Affected Products Roundcube Webmail versions prior to 1.5.13 Roundcube Webmail versions 1.6.x prior to 1.6.13 Self-hosted and managed Roundcube installations using vulnerable versions Discovery Timeline February 8, 2026 - Roundcube releases security updates 1.6.13 and 1.5.13 February 11, 2026 - CVE-2026-26079 published to NVD February 11, 2026 - Last updated in NVD database Technical Details for CVE-2026-26079 Vulnerability Analysis The vulnerability exists within Roundcube Webmail's CSS sanitization mechanism, specifically in the rcube_utils.php file. The root cause stems from inadequate handling of HTML and CSS comments within inline styles and style blocks. Prior to the patch, the CSS sanitization function failed to properly remove CSS comments before performing security checks, allowing attackers to craft malicious CSS that could bypass the XSS and injection filters. CSS injection vulnerabilities are particularly concerning in webmail applications because they can be exploited without requiring JavaScript execution. Attackers can leverage CSS selectors to detect the presence of specific content, exfiltrate data character-by-character using attribute selectors and external resource loading, or manipulate the visual presentation to conduct sophisticated phishing attacks. According to the commit messages, this vulnerability was reported by CERT Polska. Root Cause The vulnerability originates from a flaw in the comment handling logic within the mod_css_styles function in program/lib/Roundcube/rcube_utils.php . The original implementation removed HTML comments but did not properly strip CSS comments before performing security validation. This allowed attackers to embed malicious CSS directives within comment structures that would be preserved and rendered by the browser. The fix introduces a dedicated remove_css_comments() function and adds additional validation to detect any remaining comment markers after the sanitization process. If comments are still present after removal, the entire CSS block is flagged as malicious and replaced with /* evil! */ . Attack Vector The attack can be carried out remotely over the network by sending a specially crafted email containing malicious CSS to a Roundcube user. The user must open or preview the email for the attack to succeed, requiring user interaction. The attack does not require authentication on the attacker's part, as they only need to send an email to the target. The security patch addresses this by implementing comprehensive CSS comment removal: php return '/* invalid! */'; } + // remove html and css comments + $source = preg_replace('/(^\s*<\!--)|(-->\s*$)/m', '', $source); + $source = self::remove_css_comments($source); + // To prevent from a double-escaping tricks we consider a script with // any escape sequences (after de-escaping them above) an evil script. // This probably catches many valid scripts, but we\'re on the safe side. if (preg_match('/\\\\[0-9a-fA-F]{2}/', $source)) { return '/* evil! */'; } - // remove html comments - $source = preg_replace('/(^\s*<\!--)|(-->\s*$)/m', '', $source); + // If after removing comments there are still comments it's most likely a hack + if (strpos('/*', $source) !== false || strpos('<!--', $source) !== false) { + return '/* evil! */'; + } $url_callback = static function ($url) use ($allow_remote) { if (strpos($url, 'data:image') === 0) { Source: Roundcube Security Commit A subsequent commit fixed a regression in the argument order for strpos() : php } // If after removing comments there are still comments it's most likely a hack - if (strpos('/*', $source) !== false || strpos('<!--', $source) !== false) { + if (strpos($source, '/*') !== false || strpos($source, '<!--') !== false) { return '/* evil! */'; } Source: Roundcube Regression Fix Detection Methods for CVE-2026-26079 Indicators of Compromise Emails containing unusual CSS comment structures such as